Impact
The VidShop – Shoppable Videos for WooCommerce plugin is vulnerable to a time-based SQL injection that allows unauthenticated attackers to use the "fields" parameter to inject or append arbitrary SQL statements into existing queries, thereby extracting sensitive information from the database. The flaw is a classic CWE-89 weakness that compromises data confidentiality by permitting read-only access to database contents without any form of authentication.
Affected Systems
The vulnerability affects the WordPress plugin developed by WPCreatix named VidShop – Shoppable Videos for WooCommerce, with all releases up to and including version 1.1.4. Users of any version in that range are exposed; updating to a later release beyond 1.1.4 removes the issue.
Risk and Exploitability
The CVSS score for this flaw is 7.5, indicating high severity, while the EPSS score is below 1% and the vulnerability has not been added to CISA's KEV catalogue. The attack vector is unauthenticated: it relies on sending a crafted "fields" value to the plugin's REST API endpoint, which does not require user credentials. Exploitation results in data exfiltration rather than code execution, but it can still expose confidential database content to attackers. Given the low exploitation probability, the risk to sites that are already protected remains moderate, yet the severity warrants immediate action.
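The weakness described above is a column-selection parameter spliced into SQL by a public REST route. The following is an added illustration of the safe pattern, not code from the VidShop plugin: the route name, table and column names are hypothetical, and the point is that identifiers such as "fields" cannot be bound with prepare(), so they must be checked against a fixed allowlist while values are bound.

```php
<?php
// Added example, not the plugin's own code. Route, table and columns are assumptions.

// Identifiers cannot be parameterised, so the only safe source is a fixed allowlist.
const DEMO_ALLOWED_FIELDS = [ 'id', 'title', 'product_id', 'created_at' ];

/**
 * Validate a comma-separated "fields" string against the allowlist.
 * Returns the accepted column names, or a WP_Error (HTTP 400) on any unknown entry.
 */
function demo_validate_fields( $raw ) {
    $accepted = [];
    foreach ( array_map( 'trim', explode( ',', (string) $raw ) ) as $field ) {
        if ( ! in_array( $field, DEMO_ALLOWED_FIELDS, true ) ) {
            // Reject rather than strip: an unexpected token is something to log and deny.
            return new WP_Error( 'rest_invalid_param', 'Unknown field: ' . $field, [ 'status' => 400 ] );
        }
        $accepted[] = $field;
    }
    return $accepted ?: [ 'id' ];
}

function demo_get_videos( WP_REST_Request $request ) {
    global $wpdb;
    $fields = demo_validate_fields( $request->get_param( 'fields' ) );
    if ( is_wp_error( $fields ) ) {
        return $fields;
    }
    // Unsafe pattern the advisory describes (kept only as a comment):
    // $sql = "SELECT " . $request->get_param( 'fields' ) . " FROM {$wpdb->prefix}demo_videos";
    //
    // Hardened: columns come only from the validated allowlist; the one user-supplied
    // value (product_id) is bound through $wpdb->prepare().
    $columns = implode( ', ', array_map( fn( $c ) => "`{$c}`", $fields ) );
    $sql     = $wpdb->prepare(
        "SELECT {$columns} FROM {$wpdb->prefix}demo_videos WHERE product_id = %d LIMIT 50",
        (int) $request->get_param( 'product_id' )
    );
    return rest_ensure_response( $wpdb->get_results( $sql, ARRAY_A ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/videos', [
        'methods'             => 'GET',
        'callback'            => 'demo_get_videos',
        // Public route, as in the advisory: input validation is the only barrier to the DB.
        'permission_callback' => '__return_true',
        'args'                => [
            'fields'     => [ 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ],
            'product_id' => [ 'type' => 'integer', 'required' => true ],
        ],
    ] );
} );
```

Because the route is unauthenticated, a rejected "fields" value is also a useful detection signal: logging the 400 responses from this endpoint surfaces probing before any data is read.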
OpenCVE Enrichment